Executive Summary
In May 2026, the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, initiated a series of coordinated extortion attacks targeting U.S. law firms. These incidents have been officially confirmed by the Federal Bureau of Investigation (FBI) and the Internet Crime Complaint Center (IC3), with corroboration from multiple independent cybersecurity research organizations. The SRG campaign is characterized by the use of vishing (voice phishing), phishing emails, and remote access tools to gain unauthorized access to sensitive legal sector data. Unlike traditional ransomware operations, SRG does not encrypt files but instead exfiltrates confidential information, including client files, internal communications, financial records, and regulatory documents, and then demands payment under threat of public disclosure. The legal sector is particularly vulnerable due to the high value and sensitivity of client data, as well as strict regulatory obligations. The operational, reputational, and regulatory risks posed by these attacks are significant. Official guidance from the FBI and IC3 emphasizes the urgent need for multi-factor authentication (MFA), employee security awareness training, and robust incident response planning. All major claims in this report are substantiated by law enforcement advisories and technical analyses from reputable sources.
Technical Information
The Silent Ransom Group (SRG) employs a multi-stage attack methodology that leverages both social engineering and technical exploitation. Initial access is typically achieved through vishing, where attackers impersonate trusted contacts via phone calls to manipulate law firm employees into divulging credentials or installing remote access software. Phishing emails are also used, often crafted to appear as urgent legal or financial communications, containing malicious links or attachments that facilitate the download of remote access tools.
Once initial access is established, SRG operators deploy commercially available remote administration tools such as Atera, Splashtop, and AnyDesk. Because these are legitimate products commonly used for IT support, their presence rarely triggers basic security controls, and attacker sessions blend in with normal network activity. The attackers use these tools to move laterally within the victim’s environment, escalate privileges, and identify repositories of sensitive data.
Data exfiltration is conducted using utilities such as Rclone and cloud storage services like MEGA. Rclone is an open-source command-line program that facilitates the transfer of files to and from cloud storage providers. By leveraging encrypted channels and legitimate cloud services, SRG minimizes the likelihood of detection during the exfiltration phase.
Unlike conventional ransomware groups, SRG does not deploy file-encrypting malware. Instead, the group focuses exclusively on data theft and extortion. Victims receive extortion demands threatening the public release of stolen data unless payment is made. This “pure extortion” model increases pressure on law firms, given the potential for severe reputational damage and regulatory penalties associated with data breaches.
Technical analysis of SRG’s tactics, techniques, and procedures (TTPs) aligns with several MITRE ATT&CK techniques, including phishing (T1566), valid accounts (T1078), remote access software (T1219), and data exfiltration to cloud storage (T1567.002). The group’s operational security is high, with frequent use of anonymization services and encrypted communications to hinder attribution and response.
Evidence supporting these findings includes forensic artifacts recovered from compromised environments, network traffic analysis showing the use of remote access tools and cloud exfiltration, and victim reports collected by law enforcement. The quality of evidence is high, with multiple independent sources corroborating the technical details and attribution to SRG.
Affected Versions & Timeline
The SRG campaign has targeted a broad range of U.S. law firms, regardless of size or legal specialization. There is no evidence that particular versions of software or operating systems are uniquely vulnerable; rather, the attacks exploit human factors and the widespread use of remote access tools. The tools observed in the campaign include Atera, Splashtop, AnyDesk, Rclone, and MEGA, all of which are legitimate products repurposed for malicious activity.
The timeline of the campaign is as follows: Initial reconnaissance and targeting activities were observed in early April 2026, with the first confirmed intrusions reported in late April 2026. The FBI and IC3 issued public advisories in May 2026, following a surge in reported incidents. Technical analyses and sector-specific warnings were published by cybersecurity firms and industry groups throughout May and June 2026. The campaign remains active as of the date of this report, with ongoing attempts to compromise additional law firms.
Threat Activity
SRG’s threat activity is characterized by a sophisticated blend of social engineering and technical exploitation. The group conducts detailed reconnaissance to identify potential targets within law firms, often focusing on individuals with access to sensitive data or administrative privileges. Vishing attacks are tailored to exploit trust relationships, with attackers posing as IT staff, vendors, or clients to persuade victims to install remote access software or disclose credentials.
Phishing emails are crafted to bypass spam filters and exploit legal sector workflows, frequently referencing ongoing cases, regulatory deadlines, or financial transactions. Once inside the network, SRG operators use remote access tools to establish persistent access, escalate privileges, and map the internal environment. The attackers prioritize the identification and exfiltration of high-value data, including client files, case notes, financial records, and regulatory correspondence.
Data exfiltration is conducted in a stealthy manner, using Rclone to transfer files to MEGA or other cloud storage services. The attackers employ encryption and anonymization techniques to evade detection and hinder forensic analysis. Extortion demands are delivered via email or secure messaging platforms, with threats to publish or sell stolen data if payment is not received.
The impact of these attacks extends beyond immediate financial loss. Law firms face significant reputational harm, potential regulatory penalties for data breaches, and disruption to client services. The legal sector’s reliance on confidentiality and trust amplifies the consequences of data exposure, making SRG’s extortion tactics particularly effective.
Mitigation & Workarounds
Mitigation of SRG attacks requires a multi-layered approach, with priority given to the following critical controls. Implement multi-factor authentication (MFA) for all remote access and privileged accounts to prevent unauthorized access, even if credentials are compromised. Conduct regular employee security awareness training, with a focus on recognizing vishing and phishing attempts, and establish clear protocols for verifying requests to install software or disclose sensitive information. Restrict the use of remote access tools such as Atera, Splashtop, and AnyDesk to authorized IT personnel only, and monitor for unauthorized installations or unusual usage patterns.
Monitor network traffic for signs of data exfiltration, particularly outbound connections to cloud storage services like MEGA and the use of utilities such as Rclone. Implement data loss prevention (DLP) solutions and configure alerts for large or unusual file transfers. Maintain robust incident response plans, including procedures for isolating affected systems, preserving forensic evidence, and communicating with stakeholders and law enforcement.
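As an added illustration of the monitoring described above (example code, not from the advisory or any vendor), the following Python rules run over constructed endpoint and network telemetry: they flag remote access tools launched by accounts outside an assumed IT allowlist, flag Rclone runs and outbound transfers to MEGA, and escalate when both occur on the same host. The JSON event format, the allowlist, the sample events and the 1 GB upload threshold are assumptions for this example.

```python
import json
from collections import defaultdict
# Constructed sample telemetry for this example (not from the report): endpoint
# process-creation and network events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts":"2026-05-04T09:12:01Z","host":"WS-PARALEGAL-07","user":"jdoe","type":"process","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","cmdline":"AnyDesk.exe --install"}
{"ts":"2026-05-04T09:13:40Z","host":"WS-IT-01","user":"svc_helpdesk","type":"process","image":"C:\\Program Files\\Splashtop\\SRService.exe","cmdline":"SRService.exe"}
{"ts":"2026-05-04T11:02:15Z","host":"WS-PARALEGAL-07","user":"jdoe","type":"process","image":"C:\\Users\\Public\\rclone.exe","cmdline":"rclone.exe copy D:\\Matters mega:exfil --transfers 32"}
{"ts":"2026-05-04T11:02:20Z","host":"WS-PARALEGAL-07","user":"jdoe","type":"network","dst_host":"g.api.mega.co.nz","dst_port":443,"bytes_out":4831920000}
{"ts":"2026-05-04T12:00:00Z","host":"WS-ASSOC-12","user":"asmith","type":"network","dst_host":"outlook.office365.com","dst_port":443,"bytes_out":120000}
"""

# Tool names come from the advisory; the allowlist of accounts permitted to run
# remote access tools and the upload threshold are assumptions for this example.
RMM_MARKERS = ("anydesk", "splashtop", "atera")
AUTHORIZED_RMM_USERS = {"svc_helpdesk"}
MEGA_SUFFIXES = ("mega.nz", "mega.co.nz")
LARGE_UPLOAD_BYTES = 1_000_000_000
EXFIL_RULES = {"rclone_execution", "rclone_to_mega", "mega_outbound", "large_mega_upload"}

def is_mega_host(host):
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in MEGA_SUFFIXES)

def evaluate_event(ev):
    # Per-event rules; returns a list of (rule, host, user) hits.
    hits = []
    if ev["type"] == "process":
        text = (ev.get("image", "") + " " + ev.get("cmdline", "")).lower()
        if any(m in text for m in RMM_MARKERS) and ev["user"] not in AUTHORIZED_RMM_USERS:
            hits.append(("unauthorized_rmm", ev["host"], ev["user"]))
        if "rclone" in text:  # any rclone run is notable; a mega: remote is worse
            rule = "rclone_to_mega" if "mega:" in text else "rclone_execution"
            hits.append((rule, ev["host"], ev["user"]))
    elif ev["type"] == "network" and is_mega_host(ev["dst_host"]):
        big = ev.get("bytes_out", 0) >= LARGE_UPLOAD_BYTES
        hits.append(("large_mega_upload" if big else "mega_outbound", ev["host"], ev["user"]))
    return hits

def detect(raw_lines):
    # Run the rules over JSON lines, then correlate hits per host.
    alerts, per_host = [], defaultdict(set)
    for line in raw_lines.strip().splitlines():
        for rule, host, user in evaluate_event(json.loads(line)):
            alerts.append({"rule": rule, "host": host, "user": user})
            per_host[host].add(rule)
    # The chain the advisory describes (unauthorized remote access tool, then
    # cloud exfiltration on the same host) is escalated to one high-severity alert.
    for host, rules in per_host.items():
        if "unauthorized_rmm" in rules and rules & EXFIL_RULES:
            alerts.append({"rule": "srg_pattern_rmm_then_exfil", "host": host, "user": None})
    return alerts
```

The Splashtop service started by the allowlisted helpdesk account and the Office 365 traffic produce no hits, so only the paralegal workstation reaches the escalated verdict.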
Review and update access controls to ensure the principle of least privilege is enforced, limiting the exposure of sensitive data to only those who require it for their roles. Regularly audit user accounts and permissions, and promptly disable accounts for departing employees or those no longer requiring access.
Apply security patches and updates to all systems and software, and ensure that endpoint protection solutions are configured to detect and block the installation of unauthorized remote access tools. Engage with trusted cybersecurity partners for threat intelligence and incident response support as needed.
References
FBI Public Service Announcement: https://www.ic3.gov/Media/News/2026/PSA05012026
IC3 Advisory on Legal Sector Extortion: https://www.ic3.gov/Media/News/2026/LegalSectorExtortion
CrowdStrike Analysis of Luna Moth/SRG: https://www.crowdstrike.com/blog/luna-moth-ransomware-extortion-campaign/
Dark Reading Coverage of SRG Attacks: https://www.darkreading.com/attacks-breaches/luna-moth-ransomware-group-targets-law-firms
Help Net Security: https://www.helpnetsecurity.com/2026/05/15/luna-moth-extortion-campaign/
MITRE ATT&CK Techniques: https://attack.mitre.org/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chain and vendor ecosystem. Our platform enables continuous visibility into vendor security posture, supports incident response coordination, and facilitates compliance with regulatory requirements. For questions or further information, please contact us at ops@rescana.com.

